spsnj case study 2014
SharePoint 2010 with ADFS
Case Study: Transitioning to using
Active Directory Federation Services with SharePoint 2010
Joe Karam, Princeton University, Office of Information Technology
SharePoint Saturday New Jersey 2014
New Jersey SharePoint user group
• Different SharePoint discussions each month on various topics. Announced on meetup.com
• Meets 4th Tuesday of every month
• 6pm – 8pm
• Microsoft Office (MetroPark)
• 101 Wood Ave, Iselin, NJ 08830
• http://www.njspug.com
Thank You Event Sponsors
• Diamond & Platinum sponsors have tables here in the Fireside Lounge
• Please visit them and inquire about their products & services
• Also to be eligible for prizes make sure to get your bingo card stamped
Agenda
• Introduction to SharePoint & ADFS @ Princeton
• Advantages and concerns with transitioning to ADFS
• Configuration considerations with ADFS and SharePoint 2010
• Issues with migrating data between NTLM and ADFS SharePoint environments
• Issues with using ADFS and AD Groups
• Cookie options with ADFS and impact on Office applications
• Troubleshooting issues with ADFS and user profile services
• Summary
Princeton SharePoint Implementation
• Using SharePoint 2007 since 2008
• Currently migrating to SharePoint 2010 (over 80% complete)
• Mostly used for internal department collaborations
• Very little student use
• Approximately 110 department sites
• Approximately 750GB farm size
• Some customized sites
• Decentralized administration
What is Active Directory Federation Service (ADFS)?
• Provides single sign-on to authenticate users to multiple web applications in a single session using token claims.
• Allows organizations to provide access to trusted users from different domains.
• Domain users and groups are encoded to claim identities
• READ: How claims encoding works in SharePoint 2010
Why did Princeton choose ADFS for SP 2010?
• Consistent authentication experience for a variety of clients using SharePoint 2010, from on-campus to all over the world
• Improve security for authentication with SharePoint
• Planning for the future: migrating to Office 365 and using with other SSO applications
• Microsoft “encouragement” to use claims-based authentication, with only limited support for classic authentication
Princeton SharePoint 2010 Environment
• Two virtual ADFS servers
• Three virtual SharePoint 2010 front-end servers
• Two virtual SharePoint 2010 application servers
• SQL Cluster backend with SAN storage
• F5 Load Balancer
• Firewall
• AvePoint DocAve management
Is it an F5 issue? An ADFS issue? A SharePoint issue?
• Our first experience with ADFS, SharePoint 2010, and F5
• Microsoft technical support going back and forth between ADFS and SharePoint teams for troubleshooting
• Finding a trusted expert to assist us with integrating these services
ADFS Configuration Recommendations
• Many useful resources are available
• Primarily used Steve Peschka’s guide for configuring ADFS & SharePoint farm
• Official Microsoft documentation
• Expiration time of the token signing certificate between ADFS and SharePoint (x509 certificate)
• Determine the ADFS session cookie timeout so that it works properly with the SharePoint cookie timeout
• Learn how the ForeFront Identity Manager interacts with the User Profile Sync Service in SharePoint 2010
ADFS ClaimsViewer Example
Migrating data between ADFS (SP 2010) and NTLM (SP 2007)
• Microsoft AD Claims mapping scripts & tools
• Third Party Tools – AvePoint DocAve
• Mapping users and groups properly
• DOMAIN\USER to i:05.t|adfs 2.0|USER
• DOMAIN\GROUP to c:0-.t|adfs 2.0|GROUP
• Ensure AD Groups are listed as “Domain Group”
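The mapping on this slide has to be applied to every principal that still carries a DOMAIN\name login after a content database is attached to the claims web application. The script below is an added example of how that re-mapping can be done with the SharePoint cmdlets; it is not the presenter's script and not one of the Microsoft mapping tools mentioned on the slide. It assumes the trusted provider is registered in SharePoint under the name "ADFS 2.0", that its identifier claim is the e-mail address (which is why encoded users start with "i:05.t|", the "5" being the e-mail claim type), and that the web URL, NTLM domain and mail suffix are placeholders to replace. Rather than hand-typing the encoded strings, it asks SharePoint to build them from the trust, so the claim-type character always matches the provider's configuration.

```powershell
# Added example, not from the presentation: re-map NTLM logins to ADFS claims.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webUrl       = "http://sharepoint.example.edu"   # placeholder: a site in the claims web application
$providerName = "ADFS 2.0"                        # assumed: name given to New-SPTrustedIdentityTokenIssuer
$ntlmDomain   = "DOMAIN"                          # placeholder: the old NTLM domain
$mailSuffix   = "example.edu"                     # assumed: ADFS sends user@example.edu as the identity claim
$roleClaim    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"   # assumed group claim type
$dryRun       = $true                             # set to $false to actually move the accounts

$tip = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
$web = Get-SPWeb $webUrl

# Build "i:05.t|adfs 2.0|user@example.edu" from the trust instead of a literal.
function Get-EncodedUserClaim([string]$samAccountName) {
    $claim = New-SPClaimsPrincipal -Identity "$samAccountName@$mailSuffix" -TrustedIdentityTokenIssuer $tip
    return $claim.ToEncodedString()
}

# Build "c:0-.t|adfs 2.0|GroupName" (the "-" is the role claim type).
function Get-EncodedGroupClaim([string]$groupName) {
    $claim = New-SPClaimsPrincipal -ClaimValue $groupName -ClaimType $roleClaim -TrustedIdentityTokenIssuer $tip
    return $claim.ToEncodedString()
}

# Walk every principal known to the site collection and migrate the NTLM ones.
foreach ($user in Get-SPUser -Web $web -Limit All) {
    if ($user.LoginName -notlike "$ntlmDomain\*") { continue }   # already a claim, or a service account
    $name = $user.LoginName.Substring($ntlmDomain.Length + 1)

    # Groups must be flagged as domain groups (the slide's last bullet), otherwise
    # they are treated as users and get the wrong "i:" prefix.
    if ($user.IsDomainGroup) { $newAlias = Get-EncodedGroupClaim $name }
    else                     { $newAlias = Get-EncodedUserClaim  $name }

    Write-Host ("{0} -> {1}" -f $user.LoginName, $newAlias)
    if (-not $dryRun) {
        # -IgnoreSID is required: a claims identity has no Windows SID to verify against.
        Move-SPUser -Identity $user -NewAlias $newAlias -IgnoreSID -Confirm:$false
    }
}
$web.Dispose()
```

Run it once with `$dryRun = $true` and read the printed old/new pairs before letting it call Move-SPUser; the move is farm-wide and there is no cmdlet to undo it, so the dry-run listing is the place to catch a wrong mail suffix or a group that was stored as a user.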
General Concerns #1
• Search Service Application requires an NTLM web application, but make sure you do not put the search site in the Intranet zone. Use Extranet, Internet, or Custom. Outlook uses the Intranet zone first by default when connecting to SharePoint.
• Set session cookies to false (default) to ensure Office applications do not need to re-authenticate (use persistent cookies)
• Investigate whether F5 should use source IP address or cookie-based persistence type
• Test Explorer View and Access DataSheet views to ensure they work properly (hotfix for Access)
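The cookie setting on this slide and the certificate expiry and cookie-timeout items under "ADFS Configuration Recommendations" are all values that can be read back from the two sides of the trust and compared. The script below is an added, read-only check written for this page; it is not the presenter's code. It assumes the SharePoint provider is named "ADFS 2.0", that the ADFS relying party trust is named "SharePoint 2010", that the ADFS host name is a placeholder, and that PowerShell remoting to the ADFS 2.0 server is allowed. The one rule it enforces is that SharePoint's LogonTokenCacheExpirationWindow must be shorter than the relying party's TokenLifetime; when it is not, SharePoint considers every freshly issued token already expired and bounces the browser back to ADFS in a loop.

```powershell
# Added example, not from the presentation: compare the lifetimes and
# certificates on both sides of the SharePoint <-> ADFS 2.0 trust.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName     = "ADFS 2.0"          # assumed SPTrustedIdentityTokenIssuer name
$relyingPartyName = "SharePoint 2010"   # assumed relying party display name in ADFS
$adfsServer       = "adfs01.example.edu" # placeholder

$sts = Get-SPSecurityTokenServiceConfig
$tip = Get-SPTrustedIdentityTokenIssuer -Identity $providerName

# 1. Session vs persistent cookie. Office clients open their own HTTP sessions,
#    so with a session-only FedAuth cookie they cannot reuse the browser logon
#    and prompt again; the slide recommends the default (persistent) setting.
if ($sts.UseSessionCookies) {
    Write-Warning "UseSessionCookies is true: Office applications will re-authenticate."
    # To revert to the default: $sts.UseSessionCookies = $false; $sts.Update(); then iisreset
} else {
    Write-Host "UseSessionCookies = false (persistent FedAuth cookie): OK"
}

# 2. Token-signing certificate SharePoint trusts. When ADFS rolls its signing
#    certificate, SharePoint still holds the old public key and every logon
#    fails signature validation, so watch the expiry date.
$cert     = $tip.SigningCertificate
$daysLeft = ($cert.NotAfter - (Get-Date)).Days
Write-Host ("Trusted signing cert {0} expires in {1} days" -f $cert.Thumbprint, $daysLeft)
if ($daysLeft -lt 30) {
    Write-Warning "Replace it with Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate before it expires."
}

# 3. Lifetimes on the ADFS side, read remotely from the ADFS 2.0 snap-in.
$adfs = Invoke-Command -ComputerName $adfsServer -ArgumentList $relyingPartyName -ScriptBlock {
    param($rpName)
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
    $rp = Get-ADFSRelyingPartyTrust -Name $rpName
    New-Object PSObject -Property @{
        TokenLifetime = $rp.TokenLifetime                  # minutes; 0 means the 60-minute default
        SsoLifetime   = (Get-ADFSProperties).SsoLifetime   # minutes the ADFS web SSO cookie lives
        SigningCert   = (Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint
    }
}
$rpLifetime = if ($adfs.TokenLifetime -eq 0) { 60 } else { $adfs.TokenLifetime }

Write-Host ("SharePoint LogonTokenCacheExpirationWindow : {0}" -f $sts.LogonTokenCacheExpirationWindow)
Write-Host ("ADFS relying party TokenLifetime (min)     : {0}" -f $rpLifetime)
Write-Host ("ADFS SsoLifetime (min)                     : {0}" -f $adfs.SsoLifetime)

# 4. The two checks that produce the "is it ADFS or SharePoint?" symptoms.
if ($sts.LogonTokenCacheExpirationWindow.TotalMinutes -ge $rpLifetime) {
    Write-Warning "LogonTokenCacheExpirationWindow >= TokenLifetime: expect a redirect loop at logon."
}
if ($adfs.SigningCert -ne $cert.Thumbprint) {
    Write-Warning "ADFS primary token-signing certificate differs from the one SharePoint trusts."
}
```

Because the script only reads configuration, it is safe to schedule it as the "monitor end-to-end" step from the Summary slide; the two warnings at the end are the conditions that most often produced the F5-or-ADFS-or-SharePoint confusion described earlier in the deck.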
General Concerns #2
• Built-in People Picker does not work effectively with ADFS. Build a custom people picker or try an open source people picker.
• InfoPath is not fully supported with ADFS
• Incoming email requires changes to properly map users with the trusted identity provider
• Test email-enabled AD Groups to ensure alerts work properly
• “Sign In as Different User” does not work unless closing the browser, using run-as, or in-private browsing?
• Test Macintosh Microsoft Document Connection
• Meeting Attendee lists require full email address
Summary
• Test, Test, Test – all clients, internal networks, internet, all critical functions
• Monitor end-to-end, validating that ADFS and SharePoint are authenticating users properly
• SharePoint 2013 does resolve many issues (especially with cookies)
• Just found: a good summary of the experience from Red Cross
Next Steps?
• Upgrading to SharePoint 2013 and Office 365
• Continue the discussion:
• [email protected]
• LinkedIn (jkaram)
• Yammer (jkaram)
• Twitter (@jkaram)
Appendix: Incoming email Commands
• Need to have the latest CU installed for SP 2010
• Can run either (per web application; Get-SPWebApplication needs the URL, otherwise it returns every web application and the property assignment fails):
  $w = Get-SPWebApplication "http://sharepoint.example.edu"   # placeholder: your web application URL
  $w.Properties["disable-active-directory-resolve"] = "true"
  $w.Properties["enable-trusted-resolve"] = "true"
  $w.Update()
• OR (farm-wide):
  $farm = Get-SPFarm
  $farm.Properties["disable-active-directory-resolve"] = "true"
  $farm.Properties["enable-trusted-resolve"] = "true"
  $farm.Update()
Useful Security PowerShell Commands
• Get-SPTrustedIdentityTokenIssuer
• Get-SPTrustedServiceTokenIssuer
• Get-SPClaimProvider
• Adding a new relying party trust to an existing provider
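The last bullet is a two-sided change: ADFS needs a relying party trust whose identifier is the new realm and whose WS-Federation endpoint is the new web application's /_trust/ URL, and the existing SharePoint trusted provider needs a URL-to-realm entry in its ProviderRealms table so that it sends that realm (rather than the first web application's) when redirecting to ADFS. The script below is an added example of that procedure written for this page, not the presenter's; the web application URL, realm string, relying party name and provider name are placeholders, and the issuance rule assumes ADFS should send e-mail and group claims from Active Directory, which is what the claims encodings earlier in the deck ("i:05.t|" and "c:0-.t|") correspond to.

```powershell
# Added example, not from the presentation: register a second SharePoint web
# application with an already-configured ADFS 2.0 trusted identity provider.

$newWebApp = "https://research.example.edu"   # placeholder: the new claims web application
$realm     = "urn:sharepoint:research"        # placeholder: must be unique per relying party

# --- Part 1, run on the ADFS 2.0 server ---
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Issue e-mail (identity claim) and AD group membership (role claim) for the
# Windows account ADFS authenticated. This is the standard LDAP-attribute rule
# shape; adjust the attribute names if your identity claim is UPN instead.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send e-mail and groups to SharePoint"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

# Without an authorization rule ADFS issues no token at all, so permit everyone
# here and leave authorization to SharePoint permissions.
$authzRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

Add-ADFSRelyingPartyTrust -Name "SharePoint Research" `
    -Identifier $realm `
    -WSFedEndpoint "$newWebApp/_trust/" `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules

# --- Part 2, run on a SharePoint 2010 server ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$tip = Get-SPTrustedIdentityTokenIssuer -Identity "ADFS 2.0"   # assumed provider name
$uri = New-Object System.Uri($newWebApp)
if (-not $tip.ProviderRealms.ContainsKey($uri)) {
    $tip.ProviderRealms.Add($uri, $realm)   # tell SharePoint which realm to request for this URL
    $tip.Update()
}
$tip.ProviderRealms   # list all URL -> realm mappings for verification
```

The realm must match exactly on both sides (ADFS compares it as a string, so "urn:sharepoint:research" and "urn:sharepoint:Research" are different relying parties); a mismatch shows up as an ADFS "MSIS7007" style error page rather than a SharePoint error, which is one reason the deck's "is it an ADFS issue or a SharePoint issue?" question was hard to answer.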